CVE-2026-28221: Buffer Overflow in Wazuh 4.8.0 - 4.14.4
Platform
linux
Component
wazuh
Fixed in
4.14.4
CVE-2026-28221 describes a buffer overflow vulnerability discovered in Wazuh, a threat prevention, detection, and response platform. This flaw, residing within the wazuh-remoted component, can be triggered by specially crafted input, potentially leading to a denial of service or, in more severe scenarios, arbitrary code execution. The vulnerability affects Wazuh versions 4.8.0 up to, but not including, version 4.14.4. A patch is available in version 4.14.4.
Impact and Attack Scenarios
The buffer overflow occurs within the printhexstring() function when formatting attacker-controlled bytes. The vulnerability stems from the use of sprintf with insufficient bounds checking. On systems where char is treated as a signed type, input bytes like 0xFF can be sign-extended, causing sprintf to write beyond the allocated buffer size. This out-of-bounds write can overwrite critical memory regions, leading to a denial of service by crashing the wazuh-remoted process. Successful exploitation could also allow an attacker to inject and execute arbitrary code, gaining control of the Wazuh host and potentially pivoting to other systems within the network. The blast radius is dependent on the Wazuh host's network access and privileges.
Exploitation Context
CVE-2026-28221 was published on April 29, 2026. Its severity is currently assessed as medium (CVSS 6.5). There is no indication of this vulnerability being listed on KEV or having a high EPSS score, suggesting a relatively low probability of immediate exploitation. As of the publication date, no public proof-of-concept exploits have been released. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Threat Intelligence
Exploit Status
EPSS
0.07% (21% percentile)
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- None — no confidentiality impact. Attacker cannot read protected data.
- Integrity
- Low — attacker can modify some data with limited scope or impact.
- Availability
- Low — partial or intermittent denial of service. Attacker can degrade performance.
Affected Software
Weakness Classification (CWE)
Timeline
- Published
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-28221 is to upgrade Wazuh to version 4.14.4 or later. Prior to upgrading, it's crucial to review Wazuh's upgrade documentation and test the upgrade in a non-production environment to ensure compatibility with existing integrations and configurations. If an immediate upgrade is not feasible, consider implementing input validation on the data being processed by wazuh-remoted to prevent the injection of malicious bytes. While a WAF or proxy cannot directly address this vulnerability, they can be configured to block suspicious traffic patterns associated with potential exploitation attempts. After upgrading, confirm the fix by attempting to trigger the vulnerable code path with a known malicious input and verifying that the buffer overflow no longer occurs.
How to fix
Actualice Wazuh a la versión 4.14.4 o superior para mitigar el riesgo de desbordamiento de búfer en la función print_hex_string(). Esta actualización aborda la vulnerabilidad al corregir la forma en que se manejan los bytes de entrada y evitar la extensión de signo incorrecta. Verifique la documentación oficial de Wazuh para obtener instrucciones detalladas de actualización.
Frequently asked questions
What is CVE-2026-28221 — Buffer Overflow in Wazuh?
CVE-2026-28221 is a medium-severity buffer overflow vulnerability affecting Wazuh versions 4.8.0 through 4.14.3. It allows an attacker to potentially cause a denial of service or execute arbitrary code by exploiting improper input handling within the wazuh-remoted component.
Am I affected by CVE-2026-28221 in Wazuh?
You are affected if you are running Wazuh versions 4.8.0 through 4.14.3. Verify your Wazuh version using the wazuh-version command and upgrade to 4.14.4 or later if necessary.
How do I fix CVE-2026-28221 in Wazuh?
The recommended fix is to upgrade Wazuh to version 4.14.4 or a later version. Review Wazuh's upgrade documentation and test the upgrade in a non-production environment before applying it to production systems.
Is CVE-2026-28221 being actively exploited?
As of the publication date, there are no public reports of CVE-2026-28221 being actively exploited. However, it's crucial to monitor security advisories and threat intelligence feeds for any changes.
Where can I find the official Wazuh advisory for CVE-2026-28221?
Refer to the Wazuh security advisories page for the latest information and official guidance regarding CVE-2026-28221: [https://www.wazuh.com/security-advisories/](https://www.wazuh.com/security-advisories/)
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...